Tuesday, November 06, 2012

Why voting machines suck

This video shows that every time the voter touches "Obama" the voting machine selects "Romney" instead. As the comments on the Reddit post show, this cannot be a simple "calibration" issue. Is this proof of a malicious intent to change the vote?

Maybe, but maybe not.
As it turns out, despite the proof reported on Reddit, it almost certainly is a "calibration" issue. According to the iVotronic manual, calibrating the touch screen is non-linear, and requires touching it in 20 places.

According to section 7.2.13 of this report, "iVotronic touchscreens can be miscalibrated to deny certain ballot selections". That's what appears to have happened here. Either on purpose or accidentally, the machine appears to have been calibrated to make it very difficult to choose the "Obama" selection.
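To make the failure mode concrete, here is an added example (not from the report or the vendor) of a pre-election check that flags ballot buttons a calibration has made hard or impossible to select. The screen size, ballot layout, 5x4 target grid and the nearest-sample correction are all assumptions chosen for illustration; the page does not describe the iVotronic's actual algorithm.

```python
# Added illustration: a simplified model, NOT the iVotronic's real algorithm.
# Assumptions: 100x100 screen, 20 reference targets on a 5x4 grid, and a
# piecewise correction that applies the offset of the nearest calibration sample.
TARGETS = [(10 + 20 * c, 20 + 20 * r) for r in range(4) for c in range(5)]

# Constructed ballot layout: name -> (x0, y0, x1, y1), half-open rectangles.
BUTTONS = {
    "Candidate A": (10, 10, 90, 30),
    "Candidate B": (10, 30, 90, 50),
    "Candidate C": (10, 50, 90, 70),
}

def calibrate(raw_touches):
    """Store, per target, the raw point touched and the offset back to the target."""
    return [(rx, ry, tx - rx, ty - ry)
            for (tx, ty), (rx, ry) in zip(TARGETS, raw_touches)]

def to_screen(cal, x, y):
    """Correct a raw touch using the nearest calibration sample's offset."""
    rx, ry, ox, oy = min(cal, key=lambda s: (x - s[0]) ** 2 + (y - s[1]) ** 2)
    return x + ox, y + oy

def hit_test(x, y):
    """Return the button containing the corrected point, or None."""
    for name, (x0, y0, x1, y1) in BUTTONS.items():
        if x0 <= x < x1 and y0 <= y < y1:
            return name
    return None

def audit(cal):
    """Fraction of touches inside each button that register as that button."""
    result = {}
    for name, (x0, y0, x1, y1) in BUTTONS.items():
        touches = [(x, y) for x in range(x0 + 1, x1, 4) for y in range(y0 + 1, y1, 2)]
        ok = sum(hit_test(*to_screen(cal, x, y)) == name for x, y in touches)
        result[name] = ok / len(touches)
    return result

def flagged(cal, min_ok=0.9):
    """Buttons a pre-election check should fail: too few touches select them."""
    return [name for name, frac in audit(cal).items() if frac < min_ok]

# Constructed samples: an accurate calibration, and one where the two upper
# rows of targets were touched 20 units above where they were displayed.
GOOD = calibrate(TARGETS)
BAD = calibrate([(x, y - 20) if y <= 40 else (x, y) for x, y in TARGETS])

if __name__ == "__main__":
    print("good:", audit(GOOD), flagged(GOOD))
    print("bad: ", audit(BAD), flagged(BAD))
```

In this model the skewed calibration leaves "Candidate A" unselectable from anywhere inside its own button, which is the kind of result a poll worker's touch test after calibration should catch before the machine is opened to voters.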

Moreover, that report stresses that anybody with the electronic "key" can access the calibration menu. This hardware key can easily be gotten from the manufacturer or emulated with another device. No password or other control is needed. That means any voter can walk in with this key in their pocket, insert it into the device, enter the calibration menu, and calibrate it to make selecting "Obama" difficult.

Some other interesting references are this Wired article from 2008 and this Matt Blaze post.

Here are some points I want to make.

The first is that we don't get new voting machines every 4 years. Modern calibration-free capacitive displays did not appear until the iPhone came out in 2007. These machines were built in 2001. Voting machines are always going to be problematic, because they are on average 10 years behind the times in technology.

The second point is that voting machines are never going to be robust like an ATM machine or a slot machine. Those machines are used every day, and people try to hack them every day. Voting machines are used only for one day every two years. This leads to a "security through obscurity" problem. Things that are exposed to hackers get quickly hacked, and quickly fixed. Things that aren't exposed to hackers have lingering, obvious problems with them that never get fixed. This is true for voting machines, SCADA control equipment, and so on.

My third point is that what saves elections isn't the tech in the voting machines, but the tech in mobile phones that can take video like this. Apparently, half a million people have used Instagram to show their ballots, which is apparently illegal in some states. Laws need to change to make taking pictures a core part of preventing election fraud.

Finally, Dan Kaminsky owes me a dollar for betting that these machines probably used capacitive screens and didn't even need calibration.

(BTW, this page is put together simply from Google searches and my Twitter stream; people like Matt Blaze are the go-to authority on voting machines).

2 comments:

A much more fundamental problem with voting machines is their perceived lack of transparency. One of the founding principles of democracy is trust, which is eroded if people believe the machines have been tampered with. Regardless of whether this is actually true.

In the Netherlands, a bunch of IT and security experts convinced the government to ditch machines altogether. After 10+ years of using machines, voting has been done with a red pencil since 2007.